Unfortunately companies use the "security boogeyman" to push ever-increasing ads, telemetry, performance degradation, features you probably don't want that disrupt your workflow and muscle memory, breaking API changes to libraries, etc.
If you could sign a contract with e.g. Microsoft (or hell, NPM) to only receive updates that explicitly fix bugs and security holes, that'd be amazing - but I've rarely if ever seen it.
During the early XP days, Windows had granular updates where you could decline everything but security updates if you wanted. Even when they pushed out the Windows Genuine Advantage update (which offered a user no genuine advantages at all, just possibly hassles), you could still decline it.
Exactly--if I could guarantee that I was getting just security updates and bug fixes, I'd be happy to turn on automatic Windows updates (and application updates too, for that matter).